CVE-2025-8064 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Bible SuperSearch plugin for WordPress, developed by aicwebtech. This vulnerability arises from improper neutralization of input during web page generation, specifically related to the 'selector_height' parameter. Versions up to and including 6.0.1 are affected. The flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored and executed whenever any user accesses the compromised page, this can lead to persistent XSS attacks. The vulnerability is due to insufficient input sanitization and output escaping, which fails to properly cleanse malicious payloads before rendering them in the web page context. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact includes partial loss of confidentiality and integrity, as attackers can execute scripts in the context of other users, potentially stealing session tokens, performing actions on behalf of users, or defacing content. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability is significant because WordPress is widely used across many organizations, and plugins like Bible SuperSearch are often installed to enhance site functionality. The requirement for authenticated access limits exploitation to users with some level of trust, but Contributor-level access is relatively common in collaborative environments, increasing risk. The persistent nature of the XSS means that once injected, the malicious script can affect multiple users over time, amplifying impact.

For European organizations, this vulnerability poses a risk primarily to websites running WordPress with the Bible SuperSearch plugin installed. The ability for an attacker with Contributor-level access to inject persistent scripts can lead to data leakage, session hijacking, and unauthorized actions performed on behalf of legitimate users. This can compromise user privacy and data protection obligations under GDPR, potentially leading to regulatory penalties. Additionally, the integrity of website content can be undermined, damaging organizational reputation. Since many European organizations use WordPress for public-facing websites, including NGOs, educational institutions, and small to medium enterprises, the threat is relevant. The vulnerability could be exploited to target internal users or customers, especially in environments where Contributor roles are assigned to multiple users. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, increasing the risk of broader impact within the affected web application. Although no active exploits are reported, the medium severity and ease of exploitation (low complexity, no user interaction) warrant proactive mitigation to prevent potential attacks.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only, minimizing the number of users who can exploit this vulnerability. 2. Implement strict input validation and output encoding on the 'selector_height' parameter within the Bible SuperSearch plugin code to neutralize malicious scripts. Since no official patch is currently available, organizations should consider applying custom patches or temporary code fixes to sanitize inputs and escape outputs properly. 3. Monitor WordPress user activity logs for unusual behavior from Contributor-level accounts, such as unexpected content changes or script injections. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block common XSS payloads targeting the affected parameter. 5. Educate site administrators and content contributors about the risks of XSS and safe content management practices. 6. Regularly check for updates from the plugin vendor and apply official patches promptly once released. 7. Conduct security audits and penetration testing focusing on plugin vulnerabilities to identify and remediate similar issues proactively.